Page 126 - Cyber Defense eMagazine September 2023
being as relevant as Cloud Access Security Brokers (CASB) for SaaS and Data Security Posture
Management for IaaS.
Enter APIs: the Invisible Workhorses of the Digital Age
APIs are the bridges enabling software applications to interact, share data, and execute business
functions. According to the 2022 Postman State of the API report, organizations are now utilizing an
average of 218 APIs – a testament to their increasing pervasiveness and the critical role they play in how
applications are consumed. Browsers, mobile apps and API platforms like Postman are now the three
most common ways by which modern applications are accessed.
But with this proliferation comes a new set of risks. APIs have become a prime target for hackers because
of the vast amount of sensitive data they handle and their dependence on correctly enforced authentication
and authorization; several high-profile data breaches in recent years have been traced back to attackers
exploiting API vulnerabilities.
This surge in API-related breaches is a clear indicator that API security is no longer an afterthought but
a primary requirement in DLP strategies, for several reasons:
1. API-centric data breaches: APIs often expose sensitive data in the payload, frequently without
the right authentication and authorization controls, making them attractive targets for
cybercriminals. Their vulnerability to breaches necessitates robust API security measures. Broken
Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) also rank among
the top attack vectors in the OWASP API Security Top 10 for 2023.
2. Growth in API development and usage: APIs are becoming increasingly ubiquitous. According to
the 2022 Postman State of the API report, organizations have an average of 218 APIs,
a significant increase from previous years. For example, Netflix reportedly receives
billions of API calls every day, underscoring how central APIs have become to its operations.
Gartner also chimed in on the growth of APIs: 94% of organizations use or are planning
to use public APIs provided by third parties (up from 52% in 2019); 90% of organizations use or
are planning to use private APIs provided by partners (up from 68% in 2019); and 80% of
organizations provide or are planning to provide publicly exposed APIs (up from 46% in 2019).
With this increased reliance comes a higher number of potential points of failure, making API
security a growing priority for most CSOs.
3. APIs have become the universal attack vector: What makes APIs so interesting from a hacker’s
perspective is that they expand the attack surface across all vectors. They now present the
largest attack surface we have ever encountered in the industry. In the past, hackers had to find
ways of bypassing existing solutions, such as WAFs, DLP, API Gateways, etc., in order to find
data and disrupt systems. Now, they can simply exploit an API, obtain unfettered access to
sensitive data, and not even have to exploit the other solutions in the security stack. Hence the
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.
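The BOLA and BFLA failure modes named in point 1 above, as an added example that is not from the article: a read handler and an admin-only delete handler, each shown in its vulnerable form beside a hardened form that enforces the missing object-level or function-level check. The users, roles, invoice records and handler names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "customer" or "admin"

class Forbidden(Exception):
    """Authorization failure; map to HTTP 403 (or 404, to avoid leaking ids) at the edge."""

def sample_store() -> dict:
    """Constructed sample data: invoice id -> record, each owned by exactly one user."""
    return {
        1001: {"owner_id": 1, "amount": 120.00, "card_last4": "4242"},
        1002: {"owner_id": 2, "amount": 59.99, "card_last4": "1881"},
    }

def get_invoice_vulnerable(caller: User, invoice_id: int, store: dict) -> dict:
    """BOLA: the caller is authenticated, but ownership is never checked, so any
    customer can read any other customer's invoice just by changing the id."""
    return store[invoice_id]

def get_invoice_hardened(caller: User, invoice_id: int, store: dict) -> dict:
    """Object-level check: the record must belong to the caller (admins may read any)."""
    invoice = store.get(invoice_id)
    if invoice is None or (caller.role != "admin" and invoice["owner_id"] != caller.user_id):
        # Same error for "missing" and "not yours", so valid ids cannot be enumerated.
        raise Forbidden("invoice not found")
    return invoice

def delete_invoice_vulnerable(caller: User, invoice_id: int, store: dict) -> bool:
    """BFLA: an administrative function reachable by every authenticated user."""
    return store.pop(invoice_id, None) is not None

def delete_invoice_hardened(caller: User, invoice_id: int, store: dict) -> bool:
    """Function-level check (role) first, then the object must actually exist."""
    if caller.role != "admin":
        raise Forbidden("admin role required")
    if invoice_id not in store:
        raise Forbidden("invoice not found")
    del store[invoice_id]
    return True

def allowed(handler, caller: User, invoice_id: int, store: dict) -> bool:
    """True if the handler served the request, False if an authorization check refused it."""
    try:
        handler(caller, invoice_id, store)
        return True
    except Forbidden:
        return False
```

Run the same request through both handler versions to see which checks the vulnerable forms skip.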